Merge pull request #929 from safing/fix/hot-things

Fix fs error handling and other things

cmds/portmaster-start/lock.go

@@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io/fs"
 	"log"
 	"os"
 	"os/user"
@@ -14,26 +15,12 @@ import (
 )
 
 func checkAndCreateInstanceLock(path, name string, perUser bool) (pid int32, err error) {
-	var lockFilePath string
-	if perUser {
-		// Get user ID for per-user lock file.
-		var userID string
-		usr, err := user.Current()
-		if err != nil {
-			log.Printf("failed to get current user: %s\n", err)
-			userID = "no-user"
-		} else {
-			userID = usr.Uid
-		}
-		lockFilePath = filepath.Join(dataRoot.Path, path, fmt.Sprintf("%s-%s-lock.pid", name, userID))
-	} else {
-		lockFilePath = filepath.Join(dataRoot.Path, path, fmt.Sprintf("%s-lock.pid", name))
-	}
+	lockFilePath := getLockFilePath(path, name, perUser)
 
 	// read current pid file
 	data, err := os.ReadFile(lockFilePath)
 	if err != nil {
-		if os.IsNotExist(err) {
+		if errors.Is(err, fs.ErrNotExist) {
 			// create new lock
 			return 0, createInstanceLock(lockFilePath)
 		}
@@ -100,7 +87,23 @@ func createInstanceLock(lockFilePath string) error {
 	return nil
 }
 
-func deleteInstanceLock(path, name string) error {
-	lockFilePath := filepath.Join(dataRoot.Path, path, fmt.Sprintf("%s-lock.pid", name))
-	return os.Remove(lockFilePath)
+func deleteInstanceLock(path, name string, perUser bool) error {
+	return os.Remove(getLockFilePath(path, name, perUser))
+}
+
+func getLockFilePath(path, name string, perUser bool) string {
+	if !perUser {
+		return filepath.Join(dataRoot.Path, path, fmt.Sprintf("%s-lock.pid", name))
+	}
+
+	// Get user ID for per-user lock file.
+	var userID string
+	usr, err := user.Current()
+	if err != nil {
+		log.Printf("failed to get current user: %s\n", err)
+		userID = "no-user"
+	} else {
+		userID = usr.Uid
+	}
+	return filepath.Join(dataRoot.Path, path, fmt.Sprintf("%s-%s-lock.pid", name, userID))
 }

cmds/portmaster-start/run.go

@@ -172,7 +172,7 @@ func run(opts *Options, cmdArgs []string) (err error) {
 			return fmt.Errorf("another instance of %s is already running: PID %d", opts.Name, pid)
 		}
 		defer func() {
-			err := deleteInstanceLock(opts.LockPathPrefix, opts.ShortIdentifier)
+			err := deleteInstanceLock(opts.LockPathPrefix, opts.ShortIdentifier, opts.LockPerUser)
 			if err != nil {
 				log.Printf("failed to delete instance lock: %s\n", err)
 			}

cmds/updatemgr/sign.go

@@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -79,7 +80,7 @@ func sign(cmd *cobra.Command, args []string) error {
 			// Check if there is an existing signature.
 			_, err := os.Stat(file.Path() + filesig.Extension)
 			switch {
-			case err == nil || os.IsExist(err):
+			case err == nil || errors.Is(err, fs.ErrExist):
 				// If the file exists, just verify.
 				fileData, err := filesig.VerifyFile(
 					file.Path(),
@@ -97,7 +98,7 @@ func sign(cmd *cobra.Command, args []string) error {
 					verified++
 				}
 
-			case os.IsNotExist(err):
+			case errors.Is(err, fs.ErrNotExist):
 				// Attempt to sign file.
 				fileData, err := filesig.SignFile(
 					file.Path(),
@@ -123,10 +124,10 @@ func sign(cmd *cobra.Command, args []string) error {
 	}
 
 	if verified > 0 {
-		fmt.Printf("[STAT] verified %d files", verified)
+		fmt.Printf("[STAT] verified %d files\n", verified)
 	}
 	if signed > 0 {
-		fmt.Printf("[STAT] signed %d files", signed)
+		fmt.Printf("[STAT] signed %d files\n", signed)
 	}
 	if fails > 0 {
 		return fmt.Errorf("signing or verification failed on %d files", fails)
@@ -170,7 +171,7 @@ func signIndex(cmd *cobra.Command, args []string) error {
 		// Check if there is an existing signature.
 		_, err := os.Stat(sigFile)
 		switch {
-		case err == nil || os.IsExist(err):
+		case err == nil || errors.Is(err, fs.ErrExist):
 			// If the file exists, just verify.
 			fileData, err := filesig.VerifyFile(
 				file,
@@ -189,7 +190,7 @@ func signIndex(cmd *cobra.Command, args []string) error {
 			}
 
 			fallthrough
-		case os.IsNotExist(err):
+		case errors.Is(err, fs.ErrNotExist):
 			// Attempt to sign file.
 			fileData, err := filesig.SignFile(
 				file,

firewall/api.go

@@ -63,7 +63,7 @@ func startAPIAuth() {
 }
 
 func apiAuthenticator(r *http.Request, s *http.Server) (token *api.AuthToken, err error) {
-	if devMode() {
+	if configReady.IsSet() && devMode() {
 		return &api.AuthToken{
 			Read:  api.PermitSelf,
 			Write: api.PermitSelf,

firewall/config.go

@@ -1,6 +1,8 @@
 package firewall
 
 import (
+	"github.com/tevino/abool"
+
 	"github.com/safing/portbase/api"
 	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/notifications"
@@ -119,6 +121,8 @@ var (
 	filterEnabled     config.BoolOption
 	tunnelEnabled     config.BoolOption
 	useCommunityNodes config.BoolOption
+
+	configReady = abool.New()
 )
 
 func getConfig() {
@@ -128,4 +132,6 @@ func getConfig() {
 	filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
 	tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
 	useCommunityNodes = config.Concurrent.GetAsBool(captain.CfgOptionUseCommunityNodesKey, true)
+
+	configReady.Set()
 }

firewall/interception.go

@@ -116,9 +116,9 @@ func resetAllConnectionVerdicts() {
 
 	// Create tracing context.
 	ctx, tracer := log.AddTracer(context.Background())
-	defer tracer.Submit()
 
 	// Re-evaluate all connections.
+	var changedVerdicts int
 	for _, conn := range network.GetAllConnections() {
 		func() {
 			conn.Lock()
@@ -129,11 +129,11 @@ func resetAllConnectionVerdicts() {
 			// - Redirected DNS requests
 			// - SPN Uplink to Home Hub
 			if conn.Internal {
-				log.Tracef("skipping internal connection %s", conn)
+				tracer.Tracef("filter: skipping internal connection %s", conn)
 				return
 			}
 
-			log.Tracer(ctx).Debugf("filter: re-evaluating verdict of %s", conn)
+			tracer.Debugf("filter: re-evaluating verdict of %s", conn)
 			previousVerdict := conn.Verdict.Firewall
 
 			// Apply privacy filter and check tunneling.
@@ -143,19 +143,22 @@ func resetAllConnectionVerdicts() {
 			if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil {
 				err := conn.TunnelContext.StopTunnel()
 				if err != nil {
-					log.Debugf("filter: failed to stopped unneeded tunnel: %s", err)
+					tracer.Debugf("filter: failed to stopped unneeded tunnel: %s", err)
 				}
 			}
 
 			// Save if verdict changed.
 			if conn.Verdict.Firewall != previousVerdict {
 				conn.Save()
 				tracer.Infof("filter: verdict of connection %s changed from %s to %s", conn, previousVerdict.Verb(), conn.VerdictVerb())
+				changedVerdicts++
 			} else {
 				tracer.Tracef("filter: verdict to connection %s unchanged at %s", conn, conn.VerdictVerb())
 			}
 		}()
 	}
+	tracer.Infof("profile: changed verdict on %d connections", changedVerdicts)
+	tracer.Submit()
 
 	err := interception.ResetVerdictOfAllConnections()
 	if err != nil {

go.mod

@@ -16,9 +16,9 @@ require (
 	github.com/jackc/puddle/v2 v2.0.0-beta.1
 	github.com/miekg/dns v1.1.50
 	github.com/oschwald/maxminddb-golang v1.10.0
-	github.com/safing/jess v0.3.0
-	github.com/safing/portbase v0.16.1
-	github.com/safing/spn v0.5.2
+	github.com/safing/jess v0.3.1
+	github.com/safing/portbase v0.16.2
+	github.com/safing/spn v0.5.3
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/spf13/cobra v1.5.0
 	github.com/spkg/zipfs v0.7.1
@@ -28,7 +28,7 @@ require (
 	github.com/umahmood/haversine v0.0.0-20151105152445-808ab04add26
 	golang.org/x/net v0.0.0-20221004154528-8021a29435af
 	golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0
-	golang.org/x/sys v0.0.0-20221006211917-84dc82d7e875
+	golang.org/x/sys v0.0.0-20221010170243-090e33056c14
 	zombiezen.com/go/sqlite v0.10.1
 )
 
@@ -80,7 +80,7 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	github.com/zalando/go-keyring v0.2.1 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
-	golang.org/x/crypto v0.0.0-20221005025214-4161e89ecf1b // indirect
+	golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/tools v0.1.12 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -186,17 +186,14 @@ github.com/rot256/pblind v0.0.0-20211117203330-22455f90b565 h1:jVOT0WWSrjQx6pYq4
 github.com/rot256/pblind v0.0.0-20211117203330-22455f90b565/go.mod h1:SI9+Ls7HSJkgYArhh8oBPhXiNL7tJltkU1H6Pm2o8Zo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/safing/jess v0.3.0 h1:NxerZE5Vrludn00gyR4VeZaNjbDYq/qBzmcV3SLfjd4=
 github.com/safing/jess v0.3.0/go.mod h1:JbYsPk5iJZx0OXDZeMcjS9qEdkGVUg+DCA8Fw2LdN9s=
+github.com/safing/jess v0.3.1 h1:cMZVhi2whW/YdD98MPLeLIWJndQ7o2QVt2HefQ/ByFA=
+github.com/safing/jess v0.3.1/go.mod h1:aj73Eot1zm2ETkJuw9hJlIO8bRom52uBbsCHemvlZmA=
 github.com/safing/portbase v0.15.2/go.mod h1:5bHi99fz7Hh/wOsZUOI631WF9ePSHk57c4fdlOMS91Y=
-github.com/safing/portbase v0.16.0 h1:oGu5xVuMyzkG6Fht+kKbyHvA8CEJEexuCvsYQuyh6vs=
-github.com/safing/portbase v0.16.0/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
-github.com/safing/portbase v0.16.1 h1:P3nSP76EEa1GnkruzZDau0deh64Va7J5bJQ66CB7RVk=
-github.com/safing/portbase v0.16.1/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
-github.com/safing/spn v0.5.1 h1:SPTG9S7BfUBpnrg8pmTFsaSlRowSljlZ0hT4NQFHnjE=
-github.com/safing/spn v0.5.1/go.mod h1:IuQNzXhR8sSi7sq4KXIH1rK9N3Z94A3nRgItjfDB6Dg=
-github.com/safing/spn v0.5.2 h1:Gl82Fhy8+tKAarLGakkug+xzuBUcjeA39Q495pfnDWk=
-github.com/safing/spn v0.5.2/go.mod h1:r2Ig1VN0jTXC0kjSrK0mk8q3StkFTlQL+k2oJi+3TMY=
+github.com/safing/portbase v0.16.2 h1:ZlCZBZkKmgJDR+sHSRbFc9mM8m9qYtu8agE1xCirvQU=
+github.com/safing/portbase v0.16.2/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
+github.com/safing/spn v0.5.3 h1:aebwD3RI7OqtbBDK9HoqhKHcEH/i021Klrkl+dOq1Dc=
+github.com/safing/spn v0.5.3/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/seehuhn/fortuna v1.0.1 h1:lu9+CHsmR0bZnx5Ay646XvCSRJ8PJTi5UYJwDBX68H0=
@@ -280,8 +277,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20221005025214-4161e89ecf1b h1:huxqepDufQpLLIRXiVkTvnxrzJlpwmIWAObmcCcUFr0=
-golang.org/x/crypto v0.0.0-20221005025214-4161e89ecf1b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 h1:x8vtB3zMecnlqZIwJNUUpwYKYSqCz5jXbiyv0ZJJZeI=
+golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -362,8 +359,8 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20221006211917-84dc82d7e875 h1:AzgQNqF+FKwyQ5LbVrVqOcuuFB67N47F9+htZYH0wFM=
-golang.org/x/sys v0.0.0-20221006211917-84dc82d7e875/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc=
+golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

netenv/dbus_linux_test.go

@@ -1,6 +1,8 @@
 package netenv
 
 import (
+	"errors"
+	"io/fs"
 	"os"
 	"testing"
 )
@@ -12,7 +14,7 @@ func TestDbus(t *testing.T) {
 		t.Skip("skipping test in short mode because it fails in the CI")
 	}
 
-	if _, err := os.Stat("/var/run/dbus/system_bus_socket"); os.IsNotExist(err) {
+	if _, err := os.Stat("/var/run/dbus/system_bus_socket"); errors.Is(err, fs.ErrNotExist) {
 		t.Logf("skipping dbus tests, as dbus does not seem to be installed: %s", err)
 		return
 	}

network/proc/findpid.go

@@ -3,7 +3,9 @@
 package proc
 
 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"time"
 
@@ -103,7 +105,7 @@ func findSocketFromPid(pid int, socketName string) bool {
 	for _, entry := range entries {
 		link, err := os.Readlink(fmt.Sprintf("/proc/%d/fd/%s", pid, entry))
 		if err != nil {
-			if !os.IsNotExist(err) {
+			if !errors.Is(err, fs.ErrNotExist) {
 				log.Warningf("proc: failed to read link /proc/%d/fd/%s: %s", pid, entry, err)
 			}
 			continue
@@ -122,7 +124,7 @@ func findSocketFromPid(pid int, socketName string) bool {
 func readDirNames(dir string) (names []string) {
 	file, err := os.Open(dir)
 	if err != nil {
-		if !os.IsNotExist(err) {
+		if !errors.Is(err, fs.ErrNotExist) {
 			log.Warningf("proc: could not open directory %s: %s", dir, err)
 		}
 		return

network/proc/pids_by_user.go

@@ -3,7 +3,9 @@
 package proc
 
 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"strconv"
 	"sync"
@@ -50,7 +52,7 @@ func updatePids() {
 
 			statData, err := os.Stat(fmt.Sprintf("/proc/%d", pid))
 			if err != nil {
-				if !os.IsNotExist(err) {
+				if !errors.Is(err, fs.ErrNotExist) {
 					log.Warningf("proc: could not stat /proc/%d: %s", pid, err)
 				}
 				continue entryLoop

process/process.go

@@ -238,7 +238,7 @@ func loadProcess(ctx context.Context, pid int) (*Process, error) {
 	// Current working directory
 	// not yet implemented for windows
 	if runtime.GOOS != "windows" {
-		process.Cwd, err = pInfo.Cwd()
+		process.Cwd, err = pInfo.CwdWithContext(ctx)
 		if err != nil {
 			log.Warningf("process: failed to get Cwd: %s", err)
 		}

profile/framework.go

@@ -57,7 +57,7 @@ package profile
 // 				lastError = fmt.Errorf("constructed path \"%s\" from framework is not absolute", buildPath)
 // 				continue
 // 			}
-// 			if _, err := os.Stat(buildPath); os.IsNotExist(err) {
+// 			if _, err := os.Stat(buildPath); errors.Is(err, fs.ErrNotExist) {
 // 				lastError = fmt.Errorf("constructed path \"%s\" does not exist", buildPath)
 // 				continue
 // 			}

profile/get.go

@@ -221,7 +221,7 @@ profileFeed:
 	}
 
 	// Check if this profile is already active and return the active version instead.
-	if activeProfile := getActiveProfile(profile.ScopedID()); activeProfile != nil {
+	if activeProfile := getActiveProfile(profile.ScopedID()); activeProfile != nil && !activeProfile.IsOutdated() {
 		return activeProfile, nil
 	}